CVE-2024-47002
Published: 15 January 2025
Description
An HTML code injection vulnerability exists in the VLAN management part of Observium CE 24.4.13528. A specially crafted HTTP request can lead to injection of arbitrary HTML code. An authenticated user would need to click a malicious link provided by the attacker.
Security Summary
CVE-2024-47002 is an HTML code injection vulnerability in the VLAN management component of Observium Community Edition (CE) version 24.4.13528. The flaw, classified under CWE-79 (Cross-Site Scripting), lets a specially crafted HTTP request inject arbitrary HTML into the page the application returns. It was published on 2025-01-15 with a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N): high severity, because the flaw is reachable over the network with low attack complexity and has a high impact on confidentiality and integrity, even though it requires low-privilege authentication and user interaction.
Exploitation requires an authenticated user with low privileges to click a malicious link supplied by the attacker. Once triggered, the injected HTML is rendered in the victim's browser under the Observium origin, potentially enabling session hijacking, data theft, or further phishing within the Observium interface. The changed scope (S:C) reflects that the impact lands in the user's browser rather than in the vulnerable server component alone.
The primary advisory from Talos Intelligence (TALOS-2024-2091) details the vulnerability at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2091. Security practitioners should consult that report for recommended mitigations; the information available here does not identify a specific patch.
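The summary above describes the general shape of the bug (untrusted text copied into an HTML page, including a value carried by a link the victim clicks) and its standard remediation (contextual output encoding). The following Python example, added here and not code from Observium or from the Talos report, contrasts the vulnerable rendering pattern with a hardened one for a hypothetical VLAN listing page. The `Vlan` type, the `vlan_name` query parameter, the URL and the sample VLAN name are all constructed for illustration; nothing in it reproduces the actual vulnerable code or request.

```python
import html
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Vlan:
    """Hypothetical VLAN record; `name` is untrusted (learned from a device or typed by a user)."""
    vlan_id: int
    name: str


def render_vlan_row_unsafe(vlan: Vlan) -> str:
    """Vulnerable pattern: untrusted text concatenated straight into markup."""
    return f"<tr><td>{vlan.vlan_id}</td><td>{vlan.name}</td></tr>"


def render_vlan_row(vlan: Vlan) -> str:
    """Hardened pattern: numeric field coerced to int, text HTML-escaped for element content.

    quote=True also encodes " and ' so the same helper is safe inside attribute values.
    """
    return f"<tr><td>{int(vlan.vlan_id)}</td><td>{html.escape(vlan.name, quote=True)}</td></tr>"


def render_vlan_table(vlans) -> str:
    """Render the whole table using only the hardened row renderer."""
    rows = "".join(render_vlan_row(v) for v in vlans)
    return f"<table><tr><th>ID</th><th>Name</th></tr>{rows}</table>"


def filter_banner_from_url(url: str) -> str:
    """Reflected case: the value comes from a link the victim clicked.

    `vlan_name` is a hypothetical parameter name chosen for this example.
    The value is escaped at the point it is written into HTML.
    """
    params = parse_qs(urlsplit(url).query)
    raw = params.get("vlan_name", [""])[0]
    return f'<p>Showing VLANs matching "{html.escape(raw, quote=True)}"</p>'


def is_neutralised(rendered: str, untrusted: str) -> bool:
    """Check used by the tests: True if the untrusted value only appears in encoded form."""
    escaped = html.escape(untrusted, quote=True)
    if escaped not in rendered:
        return False
    return untrusted == escaped or untrusted not in rendered


def security_headers() -> dict:
    """Defence in depth: a restrictive CSP limits what injected markup can load or run."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample: a VLAN name containing benign markup.
    sample = Vlan(10, "<b>guest</b>")
    print("unsafe :", render_vlan_row_unsafe(sample))
    print("escaped:", render_vlan_row(sample))
    print(filter_banner_from_url("https://observium.example/vlans?vlan_name=%3Cb%3Eguest%3C%2Fb%3E"))
```

The point of `is_neutralised` is the regression check a maintainer would add: feed every untrusted field a value containing markup and assert that the rendered page contains only its encoded form. Escaping must happen at the output side, in the HTML context where the value lands; filtering on input alone is not sufficient because the same value may later be written into attributes, scripts or other contexts that need different encoding.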
Details
- CWE(s)